Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
AnalysisAI
Rack web server interface versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to properly escape regex metacharacters when constructing directory path filtering expressions, causing the Rack::Directory component to expose full filesystem paths in HTML directory listings. An unauthenticated remote attacker can retrieve sensitive path information by requesting directory listings when the configured root path contains regex special characters such as +, *, or ., achieving low-confidentiality impact with CVSS 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
Rack is a modular Ruby web server interface specification (CGI/Rack implemented in gems like WEBrick, Puma, etc.). The vulnerability resides in the Rack::Directory class, which generates HTML directory listings for web-accessible directories. When computing the displayed directory path, Rack::Directory constructs a regular expression to strip the configured root prefix from the full filesystem path. CWE-625 (Permissive Regular Expression) indicates the root cause: the regex pattern is built by directly interpolating the root path string without escaping regex metacharacters. If the root parameter contains characters like '+', '*', '.', '[', or other regex operators, those characters are interpreted as regex syntax rather than literal strings, causing the prefix-stripping regex to fail or match unintended paths. This results in the full filesystem path being included in the HTML output instead of the relative directory path.
RemediationAI
Upgrade Rack to version 2.2.23 (for 2.2.x branch), 3.1.21 (for 3.1.x branch), or 3.2.6 (for 3.2.x branch) or later. For Ruby on Rails applications, this typically requires updating the Gemfile lock via 'bundle update rack'. For standalone Rack-based applications, update the Gemfile and run 'bundle install'. Verify the patched version is active after deployment by checking Rack::VERSION. No workarounds are available short of disabling Rack::Directory listings or ensuring root paths contain no regex metacharacters. See GitHub Security Advisory GHSA-7mqq-6cf9-v2qp for additional details and verification steps.
Same weakness CWE-625 – Permissive Regular Expression
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise High Availability Extension 16.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Availability Extension 12 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Enterprise Storage 7 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise High Availability Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP1 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP1 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP2 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP2 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP3 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP3 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP2 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2 | Fixed |
| SUSE Linux Enterprise Server 15 SP2-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.0 | Fixed |
| SUSE Manager Proxy 4.1 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.0 | Fixed |
| SUSE Manager Retail Branch Server 4.1 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.0 | Fixed |
| SUSE Manager Server 4.1 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| suse/rmt-server | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18380
GHSA-7mqq-6cf9-v2qp